b'          Office of Inspector General\n\n\n\n\nMarch 28, 2006\n\nRICHARD J. STRASSER, JR.\nCHIEF FINANCIAL OFFICER AND EXECUTIVE VICE PRESIDENT\n\nSUBJECT:       Internal Control Group (Report Number FT-MA-06-001)\n\nThis report presents the results of our review of the Internal Control Group (ICG)\n(Project Number 05BD002FT000). The review was conducted as part of our fiscal year\n(FY) 2005 Audit Plan.\n\n                                Objectives, Scope, and Methodology\n\nOur overall objective was to review the ICG\xe2\x80\x99s role in the U.S. Postal Service and how it\naccomplishes that role. Our specific objectives were to determine the scope of ICG\nwork at the headquarters, area, and district levels, and to assess ICG planning,\nfieldwork, and reporting policies and procedures and the ICG\xe2\x80\x99s use of the Internal\nControl Reporting System (ICRS) to record and track its work. To accomplish our\nobjectives, we interviewed ICG management at headquarters and employees at the\njudgmentally-selected Capital Metro Area and Richmond District. We also examined\ninformation maintained by the ICG on the Postal Service intranet. In addition, we\nreviewed the Internal Control-Integrated Framework, published by the Committee of\nSponsoring Organizations (COSO) of the Treadway Commission, for applicability to the\nICG. Finally, we relied on computer-generated data maintained in the ICRS.\n\nWe conducted this review from January 2005 through March 2006 in accordance with\nthe President\xe2\x80\x99s Council on Integrity and Efficiency, Quality Standards for Inspections.\nWe discussed our observations and conclusions with management officials and\nincluded their comments where appropriate.\n\n                                        Prior Audit Coverage\n\nWe did not identify any prior audits or reviews related to the objective of this review.\n\n                                              Results\n\nWe acknowledge the Postal Service\xe2\x80\x99s efforts to establish the ICG to assist management\nin proactively improving processes. We performed the review during the developmental\nphase of the ICG. Therefore, we were able to fully evaluate neither ICG planning,\n\x0cInternal Control Group                                                                                  FT-MA-06-001\n\n\n\nfieldwork, and reporting policies and procedures, nor the ICRS. Nevertheless, this\nreport provides information on the establishment, mission, structure, methodology,\nreporting system, and accomplishments of the ICG at the time of our review.\nFurthermore, we are including observations on the ICG\xe2\x80\x99s efforts for reporting on internal\ncontrols over financial reporting.\n\n                                         Establishment of the ICG\n\nThe need for the ICG was established in the Postal Service\xe2\x80\x99s Transformation Plan as\nreported in the 2004 Comprehensive Statement on Postal Operations. Further impetus\nfor the ICG resulted from the financial reporting reforms proposed by COSO and\nrequirements of the Sarbanes-Oxley Act (SOX) of 2002, and in response to the\nGovernment Accountability Office\xe2\x80\x99s (GAO) position that the Postal Service needed\nstronger internal controls.\n\nIn FY 2003, under the auspices of the Shared Services/Accounting (SS/A) project, field\naccounting work was reengineered, residual work was migrated to the three existing\naccounting service centers, and the 85 district accounting offices were discontinued.\nImplementation of the SS/A project was intended to streamline accounting processes\nand operate more efficiently without sacrificing internal controls and service.\n\nInitial staffing for the ICG was drawn from Executive and Administrative Salary\nSchedule (EAS) employees whose positions were eliminated during the implementation\nof the SS/A project. EAS employees in positions eliminated (manager, accounting\noperations; supervisor, financial services; revenue assurance analyst; and postal\nsystem coordinator) were the initial selection pool for ICG positions in district offices.\nThe Postal Service reported significant savings from the SS/A project, but these savings\ndid not include positions created in the ICG.\n\nThe headquarters ICG operations and program budget for FY 2005 was $6.8 million.1\nThis included headquarters-sponsored events that included field personnel, such as\ntraining and conferences. Costs associated with ICG field operations for FY 2005 were\napproximately $37 million2 and were part of the district managers\xe2\x80\x99 budgets.\n\nAs of April 2005, the ICG had 500 authorized positions at the district level (80 internal\ncontrol managers and 420 internal control analysts), of which 415 were filled. Because\nstaffing came primarily from the district accounting offices and, to some extent, the\nformer revenue assurance function, internal control analysts continued to assist in the\ntransition to a Shared Services/Accounting structure. Therefore, not all ICG field staff\nwere performing in full-time ICG roles.\n\n1\n  The eRise (Enterprise-wide, Risk Analysis, Internal Control, Sarbanes-Oxley, Excellence) program budget of\n$4.1 million is included in this amount. eRise is a key module in the Oracle e-Business suite. It is scheduled to\nreplace ICRS in FY 2006.\n2\n  This estimate was provided by the headquarters ICG manager and does not include facility costs and other\noverhead costs.\n\n                                                                2\n\x0cInternal Control Group                                                                                 FT-MA-06-001\n\n\n\n\n                                                     Mission\n\nThe ICG was formed in 2003 to assure compliance with policies and processes in order\nto confirm integrity in reporting results critical to transition and to the success of a more\nperformance-based culture. Internal control analysts partner with management\nenterprise-wide to identify, through analysis, risk assessment, and review, those internal\ncontrols that are not reliable, effective, or efficient. The ICG and management work to\nfind the root causes for identified deficiencies and make recommendations for\nimprovement, to provide reasonable assurance that desired business objectives are\nattained.\n\nThe ICG operates as an internal consultant by assisting management in proactively\nimproving processes by evaluating the internal controls in those processes. As such, it\nis not an internal audit function and does not follow professional auditing or other\nstandards.3 For example, the levels of supervisory review and quality control are not as\nextensive as those required under professional auditing standards. In addition, the ICG\nis not considered independent under such standards.\n\nICG analysts receive 20 hours of training in orientation and methods for performing\nreviews. In 2003, all field managers and analysts received this training. This training\ncontinues to be provided to new ICG personnel. In FY 2005, 94 new analysts received\nthe 20 hours of training.\n\n                                                 ICG Structure\n\nThe ICG is an integral part of Postal Service management, as shown by its reporting\nstructure. The headquarters\xe2\x80\x99 ICG function consists of an ICG manager, the Internal\nControl Support team, and the Corporate Audit and Response Management (CARM)\nteam. The headquarters function is also supported by area- and district-level personnel.\n(See Appendix A, ICG Reporting Structure.)\n\nThe ICG manager reports to the chief financial officer and executive vice president. The\nmanager is located at Postal Service Headquarters and provides leadership to the ICG\nfunction. The manager attends meetings of the Board of Governors Audit and Finance\nCommittee, provides quarterly reports to the Business Review Committee, and meets\nwith the Postal Inspection Service, as needed, on particular topics.\n\nThe Internal Control Support team reports to the ICG manager. This team consults with\nheadquarters process owners on process improvements, coordinates national review\nactivities, directs activities to develop new topics for review, and analyzes and reports\non summary data from field reviews. In 2004, staffing for this team was completed and\nconsists of a manager, Internal Control Support, eight specialists, and one analyst.\n3\n  Professional auditing standards include standards issued by the American Institute of Certified Public Accountants,\nInstitute of Internal Auditors, and GAO.\n\n                                                               3\n\x0cInternal Control Group                                                                                    FT-MA-06-001\n\n\n\n\nCARM also reports to the ICG manager. It acts as coordinator and liaison between\nmanagement and the U.S. Postal Service Office of Inspector General (OIG) and\nexternal auditors. Although it does not review Postal Service operations, CARM is\nexpected to benefit the ICG by providing information on risk management and improving\nits ability to respond to auditors. CARM was formed in 2002 and became a part of the\nICG in 2004. CARM is led by a manager and includes eight analysts.\n\nThe headquarters ICG function is assisted in each area by the area finance manager\nand area accounting manager. The area finance manager\xe2\x80\x99s primary role is to\ncoordinate activities and act as liaison between the headquarters team and respective\ndistricts. The area accounting manager facilitates area-level risk assessment and\nprioritization, directs reviews of area-selected topics, coordinates training requirements,\nand advises headquarters ICG on district ICG issues.\n\nThe ICG activities at the district level are the heart of the ICG function. Here, the ICG\nfunction is led by a district internal control manager who reports to the district finance\nmanager. The district internal control manager oversees a staff of three to nine internal\ncontrol analysts who perform reviews at field sites using predetermined review steps for\na given Postal Service process. Costs associated with the ICG function at this level are\nfunded by the district.\n\n                                               ICG Methodology\n\nAn ICG risk assessment4 is built from the district level through the areas and to\nheadquarters. This method results in national priorities that are generally aligned with\ndistrict priorities, so that ICG work plans at the districts include national priorities. Work\nis generally selected based on results of the risk assessment. As time progresses,\nfurther data analysis, new information, and events could lead to reprioritizing items in\nthe risk assessment or recognition of potential risks that were not captured.\nAccordingly, district ICGs continue evaluating risk assessment results against their\ncurrent environment and adjust work plans based on those assessments. For example,\na district manager was concerned about declining mail volume, and the local ICG team\nresponded with a review in the subject area. Also, one ICG manager determined that\nbusiness mail entry units, a national priority based on risk, was not a top priority at that\ndistrict. Therefore, the manager assigned reviews in other Postal Service processes\nthat had a higher priority in that district.\n\nThe ICG has three programs \xe2\x80\x93 financial, performance, and revenue. Each of these has\na library of detailed review topics. In conducting a review, analysts evaluate internal\ncontrols within a given Postal Service process, such as stamp stock accountability,\n\n4\n  The risk assessment model is a tool used to develop work plans for the ICG. It provides a snapshot of potential risk\nat a point in time based on (1) inherent risk, the amount of dollar exposure in the process; (2) control risk, the nature\nof the controls in the process; and (3) prior coverage, the elapsed time since the process was last reviewed by the\nICG.\n\n                                                                 4\n\x0cInternal Control Group                                                                                  FT-MA-06-001\n\n\n\ndisbursements, asset security, registered mail, automated postal centers, master trust\nreconciliations, business mail acceptance, business reply mail, and detached mail units.\n\nMany controls evaluated are the same or similar to those examined by the OIG in\nconducting field financial audits. For example, both ICG and OIG programs determine\nwhether retail floor stock exceeds authorized amounts, and if cash counts are\nperformed at the required frequencies. The OIG, however, completes work as part of\nan overall audit in accordance with professional auditing standards. Although the ICG\ndoes not complete work as part of an overall audit, approximately 80 percent of its work\nis directed at evaluating controls and making recommendations for improvements for\nrisks identified in the annual risk assessment and prioritization. This work may include\nareas that are also covered by the OIG.\n\nThe ICG has 527 authorized positions5 and an operating budget of approximately\n$39.6 million6 that it uses to accomplish its program work. Approximately 15 percent of\nits work and $5.5 million of its operating budget are directed to cyclical topics7 covering\nthe same or similar areas covered by the OIG. The OIG dedicated 84 authorized\npositions and $8.9 million of its operating budget to accomplish its audits in the same or\nsimilar program areas.\n\nWhile the ICG and OIG may conduct work on the same or similar topics, the objectives\nare different. The ICG performs the monitoring function of the internal control structure8\nby selecting data-driven reviews to evaluate internal controls, determine root causes for\ncontrol weaknesses, and make recommendations to improve control effectiveness and\nefficiency. On the contrary, the OIG performs statistically-selected audits in support of\nthe annual financial statement opinion in accordance with auditing standards generally\naccepted in the United States and the standards applicable to financial audits contained\nin Government Auditing Standards, issued by the Comptroller General of the United\nStates. (See Appendix B for a comparative analysis of ICG and OIG program work.)\n\n                             Reporting Results and Accomplishments\n\nThe ICG uses the ICRS, a web-based system, to track work in progress and maintain a\nrecord of completed work. The ICRS is a database that serves as the internal control\nanalysts\xe2\x80\x99 workpapers. It enables the analysts to record their work, and supervisors and\nothers in authority to oversee the work done. The system also maintains\nrecommendations by site and reviews9 issued. The system provides ICG statistical\ndata, such as the most frequent reportable conditions, including weaknesses in internal\n\n5\n  As of September 30, 2005.\n6\n  FY 2005 headquarters and field budget information, not including the eRise program budget and overhead costs\nsuch as facilities.\n7\n  Cyclical reviews represent items that, in general, have adequate controls to mitigate risk. However, periodic\nreviews are needed to ensure that controls continue to work as designed.\n8\n  Monitoring is one of five interrelated components of internal control, as identified by COSO\xe2\x80\x99s Internal Control \xe2\x80\x93\nIntegrated Framework.\n9\n  Generally, a report consists of one review.\n\n                                                                5\n\x0cInternal Control Group                                                                             FT-MA-06-001\n\n\n\ncontrols, and statistics by area and district. The system also provides statistical data by\ntypes of reviews \xe2\x80\x93 for example, money orders, business reply mail, and payroll.\n\nAlthough each topic is generally a separate review, it may be combined with the results\nof another topic at the same site, if conducive, and tracked in the system as a single\nreview. For example, if the analyst performs some or all of the steps in review topic\n2000, Stamp Stock Accountability, SIA Office, that work is considered one review. If the\nanalyst then performs steps in topic 3000, Money Orders, at the same location, it is\nconsidered a second review. For reporting purposes, the analyst, however, may\ncombine the results from 2000 and 3000 into a single review. As of May 11, 2005, the\nICG had performed 16,586 reviews, and 2,703 reviews were in progress.10\n\nWhen analysts complete their reviews, they prepare written reports for the district\nfinance or internal control manager\xe2\x80\x99s review and signature using a standardized format.\nPostal Service management is expected to respond within 30 days of receiving the\nreport. When a recommendation for a policy or standard procedure change is not within\nthe authority of the unit or district manager, area managers consider whether the\nrecommendation should be forwarded to ICG headquarters for further action. For\nexample, the field ICG in the Pacific Area developed recommendations for\nimprovements in controls for media mail that included changes in nationally established\nprocedures. The recommendations were submitted through the Pacific Area to\nheadquarters ICG, and resulted in establishing national procedures for periodic\nmanagement inspections of media mail.\n\nThe ICG expects to transition from ICRS to the internal controls manager application in\nFY 2006, but ICRS data will be available through FY 2007. Internal control programs,\napproach, and methodologies will not change, and data from ICRS will be accessible for\ntracking and analysis.\n\n                  Reporting on Internal Controls Over Financial Reporting\n\nThe ICG, in coordination with Finance, participates in management actions to voluntarily\ncomply with portions of Section 404 of SOX.11 Under Section 404, businesses must\nacknowledge management\xe2\x80\x99s responsibility for maintaining adequate internal control\nmechanisms for financial reporting and evaluate the efficacy of such mechanisms.\n\n\n\n\n10\n   We attempted to ascertain the number of recommendations since the inception of the ICG, but ICRS could not\nreadily provide the information.\n11\n   SOX provisions do not apply to the Postal Service. However, Postal Service management stated that it remains\ncommitted to a continuing effort to achieve voluntary compliance with Section 404 of SOX.\n\n                                                             6\n\x0cInternal Control Group                                                                           FT-MA-06-001\n\n\n\nTo achieve compliance, the ICG and the controller\xe2\x80\x99s function have been working to map\neight major processes:\n\n                \xe2\x80\xa2   Cash\n                \xe2\x80\xa2   Payroll\n                \xe2\x80\xa2   Transportation\n                \xe2\x80\xa2   Meter revenue\n                \xe2\x80\xa2   Money orders\n                \xe2\x80\xa2   Real estate transactions\n                \xe2\x80\xa2   Contract payments\n                \xe2\x80\xa2   Accruals \xe2\x80\x93 month- and year-end closing process\n\nMore than 300 processes and subprocesses have been documented, and three teams\nhave been reviewing end-to-end processes for cash, money orders, and meter\nallocations.12\n\nIn its report on internal control and other matters to the Audit and Finance Committee\nand Postal Service management, the independent public accountants, Ernst & Young,\nLLP, supported management\xe2\x80\x99s initiative begun in FY 2004 towards voluntary\ncompliance with portions of Section 404 of SOX. They also recommended that\nmanagement continue the momentum it has started and set a goal to review its overall\nstrategic plan and timetable for this initiative. In addition, they recommended\nmanagement continue to communicate its path to the Audit and Finance Committee.\n\nManagement views SOX compliance as a viable plan for documenting, testing, and\nmonitoring controls over financial reporting. Priority business initiatives for improvement\nand limited resources have affected the timeline for meeting management targets for\nvoluntary compliance with portions of SOX, but the Postal Service\xe2\x80\x99s efforts and\ncommitment are expected to continue.\n\nWe discussed the results of this review with Postal Service management on March 14,\n2006. No recommendations were made, and management chose not to respond to this\nreport. No action by management was required.\n\n\n\n\n12\n     Process documentations are in the draft phase and not available for release at this time.\n\n                                                                  7\n\x0cInternal Control Group                                                       FT-MA-06-001\n\n\n\nWe appreciate the opportunity and courtesies provided by your staff during the review.\nIf you have any questions or need additional information, please contact Lorie Siewert,\ndirector, Financial Statements, or me at (703) 248-2300.\n\n    E-Signed by John Cihota\n ERIFY authenticity with ApproveI\n\n\n\n\nJohn E. Cihota\nDeputy Assistant Inspector General\n for Financial Operations\n\nAttachments\n\ncc: Patrick R. Donahoe\n    William P. Galligan, Jr.\n    Lynn Malcolm\n    Margaret A. Weir\n    Steven R. Phelps\n\n\n\n\n                                               8\n\x0cInternal Control Group                            FT-MA-06-001\n\n\n\n\n                          APPENDIX A\n\n          INTERNAL CONTROL GROUP REPORTING STRUCTURE\n\n\n\n\n                                 9\n\x0cInternal Control Group                                                                                                                      FT-MA-06-001\n\n\n\n                                                                  APPENDIX B\n\n        COMPARATIVE ANALYSIS OF ICG AND OIG PROGRAM WORK\n\n                                                                Comparison of Effort\n                                                       Postal Service Programs Reviewed by:\n\n                               Internal Control Group                                  Office of Inspector General\n                                                                ICG and OIG work\n                             80% Risk Priority Topics                                  Financial Operations\n                                                               conducted in same or\n                                 15% Cyclical Topics               similar areas       Core Operations\n                                             5% other                                  Headquarters Operations\n                                                               ICG Cyclical Topics\n                                                                  Stamp Stock\n                                                                 Accountability\n                   ICG Risk Priority Topics                      Disbursements\n                                                                 Asset Security                            Other OIG Programs\n           Identified through Risk Assessment and                 Business Mail\nICG                      Prioritization                            Acceptance                       Identified in fiscal year audit plans\nOther                                                          Business Reply Mail\n             NOTE: May include parts of ICG cyclical           Detached Mail Units\n            topics if particular controls are evaluated as                                 NOTE: Audit plans are updated throughout the fiscal year\n                            risk priorities.                  OIG Financial Program\n                                                               Financial Statements\n                                                                  Field Financial\n\n\nNote: The diagram shows where ICG and OIG conduct work in the same or similar areas. There are other ICG activities not related to OIG\nwork, and OIG work not related to ICG work, as illustrated by the non-intersecting portions of the diagram.\n\n\n                              ICG                                                                                  OIG\n                                                   Authorized Positions as of September 2005\n\n                                     Cyclical         Total                                                           Field Financial    Total Audit\n          Headquarters                                  21                             Field Financial                            84\n          Field                            80          506\n                                                                                       Total Audit                                               356\n          Total                            80           527\n\n                                Note: ICG Cyclical is estimate based upon 15% of work assigned to cyclical topics.\n\n                                                 Funding of Operations ($Millions) for FY 2005\n\n                                     Cyclical         Total                                                           Field Financial    Total Audit\n          Headquarters                                  2.6                            Field Financial                           8.9\n          Field                            5.5         37.0\n                                                                                       Total Audit                               8.9            27.3\n          Total                            5.5         39.6\n\n                                Note: ICG Cyclical is estimate based upon 15% of work assigned to cyclical topics.\n\n                                                         Professional Standards Followed\n\n          None\xe2\x80\x94Certification program under                                             Government Auditing Standards\n          consideration                                                                PCIE Quality Standards for Inspections\n          ICG Analysts receive 20 hours training in                                    AICPA\xe2\x80\x94Auditing Standards Generally Accepted\n          review methods at time of appointment                                          in the U.S.\n\n                                                                Purpose of Work\n\n          Provide recommendations to management                                        Provide support for the annual financial statement opinion by\n          regarding internal control weaknesses.                                       the independent public accountant.\n\n\n\n\n                                                                                      10\n\x0c'